A small ruby gem (with no dependencies) to help you test a website's SSL certificate.
gem 'ssl-test'
Simply call the SSLTest.test
method and it'll return 3 values:
- the validity of the certificate
- the error message (if any)
- the certificate itself
Example with good cert:
valid, error, cert = SSLTest.test "https://google.com"
valid # => true
error # => nil
cert # => #<OpenSSL::X509::Certificate...>
Example with bad certificate:
valid, error, cert = SSLTest.test "https://testssl-expire.disig.sk"
valid # => false
error # => "error code 10: certificate has expired"
cert # => #<OpenSSL::X509::Certificate...>
If the request fails and we're unable to detemine the validity, here are the returned values:
valid, error, cert = SSLTest.test "https://thisisdefinitelynotawebsite.com"
valid # => nil
error # => "SSL certificate test failed: getaddrinfo: Name or service not known"
cert # => nil
You can also pass custom timeout values:
valid, error, cert = SSLTest.test "https://slowebsite.com", open_timeout: 2, read_timeout: 2
valid # => nil
error # => "SSL certificate test failed: execution expired"
cert # => nil
Default timeout values are 5 seconds each (open and read)
Revoked certificates are detected using OCSP endpoint by default:
valid, error, cert = SSLTest.test "https://revoked.badssl.com"
valid # => false
error # => "SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2019-10-07 20:30:39 UTC)"
cert # => #<OpenSSL::X509::Certificate...>
If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using CRL.
If both OCSP and CRL tests are impossible, the certificate will still be considered valid but with an error message:
valid, error, cert = SSLTest.test "https://sitewithnoOCSPorCRL.com"
valid # => true
error # => "Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: Missing crlDistributionPoints extension"
cert # => #<OpenSSL::X509::Certificate...>
SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby net/https
library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
After that it queries the OCSP endpoint to verify if the certificate has been revoked. If OCSP is not available it'll fetch the CRL instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with OCSP and the intermediate with CRL depending on what they offer.
OCSP and CRL responses are cached in memory, which makes subsequent testing faster and more robust (avoids network error and throttling) but be careful about memory usage if you try to validate millions of certificates in a row.
About the caching duration:
- OCSP responses are cached until their "next_update" indicated inside the repsonse
- OCSP errors are cached for 5 minutes
- CRL responses are cached for 1 hour
CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (Etag
& Last-Modified
) to avoid downloading the list again if it didn't change.
You can check the size of the cache with SSLTest.cache_size
, which returns:
{
crl: {
lists: 5,
bytes: 5123456
},
ocsp: {
responses: 350,
errors: 2,
bytes: 45876
}
}
You can also flush the cache using SSLTest.flush_cache
if you want (not recommended)
You can enable logging by setting SSLTest.logger
, for example:
SSLTest.logger = Rails.logger
SSLTest will log various messages depending on the log level you specify, example:
INFO -- : SSLTest https://www.anonymisation.gov.pf started
DEBUG -- : SSLTest + test_chain_revocation: www.anonymisation.gov.pf
DEBUG -- : SSLTest + OCSP: fetch URI http://servicesca.ocsp.certigna.fr
DEBUG -- : SSLTest + OCSP: 200 OK (4661 bytes)
DEBUG -- : SSLTest + OCSP: ocsp_ok
DEBUG -- : SSLTest + test_chain_revocation: Certigna Services CA
DEBUG -- : SSLTest + OCSP: [false, "Missing OCSP URI in authorityInfoAccess extension", nil]
DEBUG -- : SSLTest + CRL: fetch URI http://crl.certigna.fr/certigna.crl
DEBUG -- : SSLTest + CRL: 200 OK (1152 bytes)
DEBUG -- : SSLTest + CRL: crl_ok
INFO -- : SSLTest https://www.anonymisation.gov.pf finished: revoked=false
Pretty much the same errors curl
will:
- Expired certificates
- Incomplete certificate chain (missing intermediary)
- Self signed certificates
- Valid certs used with incorect hostname
- Untrusted root (if your system is up-to-date)
- And more...
But also revoked certs like most browsers (not handled by curl
)
See also github releases: https://github.com/jarthod/ssl-test/releases
- 1.4.1 - 2022-10-24: Add support for "tcps://" scheme
- 1.4.0 - 2021-01-16: Implemented CRL as fallback to OCSP + expose cache metrics + add logger support
- 1.3.1 - 2020-04-25: Improved caching of failed OCSP responses (#5)
- 1.3.0 - 2020-04-25: Added revoked cert detection using OCSP (#3)
- 1.2.0 - 2018-03-04: Better support for wrong hostname across ruby versions
- 1.1.0 - 2017-01-13: Removed HTTP call, Net::HTTP#start is enough to open the connection and get cert details and validation
- Fork it ( https://github.com/[my-github-username]/ssl-test/fork )
- Create your feature branch (
git checkout -b my-new-feature
) - Make sure the tests are passing (
rspec
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create a new Pull Request